Specify Whether to Use Client Certificates (IIS 7)

You must first configure a Server Certificate and create an HTTPS binding to enable any Secure Sockets Layer (SSL) Settings. When you want clients to verify their identity before they access content on your Web server, configure client certificates. By default, client certificates are ignored.

If you want all clients to verify their identity, you must specify that client certificates are required. If some clients can access content without first verifying their identity, you must specify that client certificates are accepted.

Make sure that you are at the site, application, or directory level; SSL Settings are not available at the Server level. To enable client certificates at the file level, navigate to the file in Content View and then click Switch to Features View in the Actions pane.

On the SSL Settings page, optionally select Require SSL. You do not need SSL to Ignore or Accept client certificates.

On the SSL Settings page, in the Client certificates area, use one of the following procedures:

Select Ignore if you do not want to accept a client certificate even if a client presents one.

Select Accept to accept client certificates.

Select Require to require client certificates. To use Require Client Certificates, you must enable Require SSL.

The variable site | URL is the site, application, virtual directory, or file where you want IIS to enable client certificates. For example, to accept client certificates for the Default Web Site, type the following at the command prompt, and then press ENTER:

You can specify one or more of the values for the sslFlags attribute. If you want more than one value, separate each value with a comma (,). For example, to specify a requirement for both SSL and client certificates on the Default Web Site, type the following at the command prompt, and then press ENTER:

When you use Appcmd.exe to configure the access element at the site, application, virtual directory, or file level in IIS 7, you must specify /commit:APPHOST in the command so that configuration changes are made to ApplicationHost.config with an appropriate location tag.
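
To check the result, the following added example (not part of the original page, and not Microsoft code) reads the location tags in an ApplicationHost.config file and reports, for each path, whether client certificates are ignored, accepted, or required, flagging any path where SslRequireCert is set without Ssl. The XML sample, the paths in it, and the function names are constructed for illustration; Ssl, SslNegotiateCert, and SslRequireCert are the sslFlags values behind Require SSL, Accept, and Require.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the kind of <location> entries that /commit:APPHOST
# writes to ApplicationHost.config (the child paths are made up).
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site">
    <system.webServer><security>
      <access sslFlags="Ssl, SslRequireCert" />
    </security></system.webServer>
  </location>
  <location path="Default Web Site/partners">
    <system.webServer><security>
      <access sslFlags="SslNegotiateCert" />
    </security></system.webServer>
  </location>
  <location path="Default Web Site/admin">
    <system.webServer><security>
      <access sslFlags="SslRequireCert" />
    </security></system.webServer>
  </location>
  <location path="Default Web Site/public">
    <system.webServer><security /></system.webServer>
  </location>
</configuration>"""


def client_cert_mode(flags):
    """Map a set of sslFlags values to the SSL Settings page choice."""
    if "SslRequireCert" in flags:
        return "Require"
    if "SslNegotiateCert" in flags:
        return "Accept"
    return "Ignore"  # the default: client certificates are ignored


def audit_ssl_flags(config_xml):
    """Return (path, mode, require_ssl, warning) for every <location> tag."""
    rows = []
    for loc in ET.fromstring(config_xml).iter("location"):
        access = next(loc.iter("access"), None)
        raw = access.get("sslFlags", "") if access is not None else ""
        flags = {f.strip() for f in raw.split(",") if f.strip()}
        mode, require_ssl = client_cert_mode(flags), "Ssl" in flags
        # Require client certificates is only valid together with Require SSL.
        warning = "Require without Ssl" if mode == "Require" and not require_ssl else ""
        rows.append((loc.get("path"), mode, require_ssl, warning))
    return rows
```

Call audit_ssl_flags() with the text of a copy of ApplicationHost.config; a path with no access element is reported as Ignore, matching the default.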